Planning resource security
This topic describes each of the components of resource security and how they all work together to protect information on your system. It also explains how to use CL commands and displays to set up resource security on your system.
Resource security defines which users are allowed to use objects on the system and what operations they are allowed to perform on those objects. Also, deciding who will be allowed access to what information on your system is an important part of your security policy.
Now that you have completed the process for planning users on your system, you can plan the resource security to protect objects on the system.
- Confidentiality of information
- Accuracy of information to prevent unauthorized changes
- Availability of information to prevent accidental or deliberate damage
This information provides a basic approach to planning resource security. It introduces the main techniques and shows how you can use them. The methods described here will not necessarily work for every company and every application. Consult your programmer or application provider as you plan resource security.
- Complete an Application description worksheet for each application on your system.
- Refer to Planning object authority to plan how you will establish ownership and public authority for your applications after you load them.
- Use the Authorization list worksheet to list the objects that the list secures and the groups and individuals who have access to the list.
- Use the Printer Output Queue and Workstation Security worksheet to list any workstation or output queue that requires special protection.
- Keep your resource security scheme simple.
- Secure only those objects that you need to secure.
- Use resource security to supplement, not replace, the other tools for protecting information, such as:
  - Limiting users to specific menus and applications.
  - Preventing users from entering commands by limiting capabilities in user profiles.
Planning security for workstations
After planning resource security for printers and printer output, you can begin planning workstation security. On your Physical Security Plan, you listed workstations that represent a security risk because of their location. Use this information to determine which workstations you need to restrict.
You can encourage the people who use these workstations to be particularly aware of security. They should sign off whenever they leave their workstations. You may want to record your decision about sign-off procedures for vulnerable workstations in your security policy. You can also limit which functions can be performed at those workstations to minimize the risks.
The easiest method for limiting function at a workstation is to restrict it to user profiles with limited function. You may choose to prevent people with security officer or service authority from signing on at every workstation. If you use the QLMTSECOFR system value to do this, people with security officer authority can sign on only at specifically authorized workstations. Prepare the workstation portion of the Output Queue and Workstation Security form to document your workstation security policy.
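The workstation restrictions described above, as an added CL example that is not part of the original topic. The device names DSPLOBBY and DSPSEC01 and the user profiles ORDENTRY and SECADMIN are hypothetical and are assumed to exist already.

```cl
/* Added example. DSPLOBBY, DSPSEC01, ORDENTRY and SECADMIN are    */
/* hypothetical names used only for illustration.                  */

/* Users with *ALLOBJ or *SERVICE special authority can sign on    */
/* only at workstations they are specifically authorized to use.   */
CHGSYSVAL SYSVAL(QLMTSECOFR) VALUE('1')

/* Vulnerable workstation (for example, in a public area):         */
/* exclude the public and allow only a limited-function profile.   */
GRTOBJAUT OBJ(QSYS/DSPLOBBY) OBJTYPE(*DEVD) USER(*PUBLIC) +
          AUT(*EXCLUDE) REPLACE(*YES)
GRTOBJAUT OBJ(QSYS/DSPLOBBY) OBJTYPE(*DEVD) USER(ORDENTRY) +
          AUT(*CHANGE)

/* Workstation in a secured room: specifically authorize the       */
/* security administrator. With QLMTSECOFR set to 1, public        */
/* authority to the device is not enough for this user.            */
GRTOBJAUT OBJ(QSYS/DSPSEC01) OBJTYPE(*DEVD) USER(SECADMIN) +
          AUT(*CHANGE)

/* Review the result and record it on the workstation form.        */
DSPSYSVAL SYSVAL(QLMTSECOFR)
DSPOBJAUT OBJ(QSYS/DSPLOBBY) OBJTYPE(*DEVD)
DSPOBJAUT OBJ(QSYS/DSPSEC01) OBJTYPE(*DEVD)
```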
- Move from the general to the specific:
  - Plan security for libraries. Deal with individual objects only when necessary.
  - Plan public authority first, followed by group authority, and individual authority.
- Make the public authority for new objects in a library (CRTAUT) the same as the public authority you defined for the majority of existing objects in the library.
- Try not to give groups or individuals less authority than the public has. This diminishes performance, may lead to mistakes later, and makes auditing difficult. If you know that everyone has at least the same authority to an object that the public has, it makes planning and auditing security easier.
- Use authorization lists to group objects with the same security requirements. Authorization lists are simpler to manage than individual authorities and aid in recovery of security information.
- Create special user profiles as application owners. Set the owner password to *NONE.
- Avoid having applications owned by IBM-supplied profiles, such as QSECOFR or QPGMR.
- Use special output queues for confidential reports. Put the output queue in the same library as the confidential information.
- Limit the number of people who have security officer authority.
- Be careful when granting *ALL authority to objects or libraries. People with *ALL authority can accidentally delete things.
- Fill in Part 1 and Part 2 of the Library description forms for all your application libraries.
- On your Individual user profile forms, fill in the Owner of objects created and Group authority over objects created fields.
- On your Naming conventions form, describe how you plan to name authorization lists.
- Prepare Authorization List forms.
- Add authorization list information to your Library description forms.
- Prepare an Output queue and workstation security form.
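The guidelines above on application owner profiles, CRTAUT, authorization lists and confidential output queues, carried out in CL as an added example that is not part of the original topic. All object and profile names (APPOWN, PAYLIB, PAYMAST, PAYAUTL, PAYOUTQ, PAYDEPT) are hypothetical; the group profile PAYDEPT and the file PAYMAST are assumed to exist.

```cl
/* Added example. All names below are hypothetical.                */

/* Application owner profile that cannot be used to sign on.       */
CRTUSRPRF USRPRF(APPOWN) PASSWORD(*NONE) +
          TEXT('Owner of payroll application')

/* Library first: set public authority, and make CRTAUT match the  */
/* public authority planned for most objects in the library.       */
CRTLIB LIB(PAYLIB) AUT(*USE) CRTAUT(*USE) +
       TEXT('Payroll application')
CHGOBJOWN OBJ(PAYLIB) OBJTYPE(*LIB) NEWOWN(APPOWN)

/* Authorization list for the objects that need more protection.   */
/* Public is excluded; the group gets more than the public, not    */
/* less.                                                           */
CRTAUTL AUTL(PAYAUTL) AUT(*EXCLUDE) +
        TEXT('Confidential payroll objects')
ADDAUTLE AUTL(PAYAUTL) USER(PAYDEPT) AUT(*CHANGE)

/* Secure the confidential file with the list and take its public  */
/* authority from the list as well.                                */
CHGOBJOWN OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) NEWOWN(APPOWN)
GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) AUTL(PAYAUTL)
GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(*PUBLIC) +
          AUT(*AUTL)

/* Output queue for confidential reports, in the same library as   */
/* the confidential information.                                   */
CRTOUTQ OUTQ(PAYLIB/PAYOUTQ) DSPDTA(*NO) OPRCTL(*NO) +
        AUTCHK(*OWNER) AUT(*EXCLUDE) +
        TEXT('Confidential payroll reports')
CHGOBJOWN OBJ(PAYLIB/PAYOUTQ) OBJTYPE(*OUTQ) NEWOWN(APPOWN)
GRTOBJAUT OBJ(PAYLIB/PAYOUTQ) OBJTYPE(*OUTQ) USER(PAYDEPT) +
          AUT(*CHANGE)

/* Review what was set up against the planning forms.              */
DSPOBJAUT OBJ(PAYLIB) OBJTYPE(*LIB)
DSPAUTL AUTL(PAYAUTL)
DSPAUTLOBJ AUTL(PAYAUTL)
```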